Fed. Judge Says FTC Can Sue over Poor Data Security

Usually, companies quietly settled. But this time was different. In 2012, the FTC accused the hotel group Wyndham Worldwide of carelessness after hackers stole customer credit card information and caused more than $10 million in fraudulent charges.

Rather than settle, Wyndham questioned the FTC's authority in U.S. District Court in Newark, saying Congress never gave the agency the right to bring enforcement action over data security. See, “FTC Expanding Its Role in 'Internet of Things' Security,” in the October 2013 issue of e-Commerce Law & Strategy.

Wyndham also argued it was denied due process because neither Congress nor the FTC has published data-security standards or guidelines. The U.S. Chamber of Commerce, among others, filed an amicus brief supporting Wyndham.

But on April 7, U.S. District Judge Esther Salas denied Wyndham's motion to dismiss the FTC's case, saying the agency has authority under Section 5 of the Federal Trade Commission Act to bring enforcement actions against companies with business practices that are considered “unfair or deceptive.”

Craig Newman, managing partner of Richards Kibbe & Orbe, told Corporate Counsel: “I think the biggest challenge for companies and for their general counsel in assessing the Wyndham decision is the fact that it gives very little guidance to companies on what the FTC considers to be 'reasonable' data-protection standards. And those standards can vary by company and by industry and by type of consumer data a company maintains.”

Newman, a former general counsel at two companies, said the FTC argued that a company's data security must meet a reasonableness test.

“But if you're a company, 'reasonableness' is a pretty big target to shoot at,” he said. “If a company guesses wrong, it will be in the crosshairs of an FTC enforcement action.”

The agency argued in court that there are voluntary industry standards on cybersecurity, and its consent orders signed with other companies illustrate what it considers reasonable practices. The FTC also argued that this area of law is constantly evolving and it needs to define fair and reasonable practices on a case-by-case basis.

Salas' ruling seemed to agree, saying the climate of this case “undoubtedly raises a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.”

Her 42-page ruling was carefully constructed and did not deal with the merits of the case. “This decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” she warned. (A PDF of the ruling is available at http://bit.ly/1itN4b9.)

Still, Newman sees the decision emboldening the FTC. “It certainly is going to put some wind in their sails,” he said. “This clearly is going to be a test case. And I suspect that Judge Salas is not going to be the last word, and that this will find its way up through appellate court.”

But first Wyndham must decide if it's going to keep fighting or settle after losing this opening round.

Cowie also co-authored an article on the ruling's implications. It states: “This precedent will give the FTC greater leverage over companies under investigation and an enhanced ability to force companies to undergo expensive litigation over the reasonableness of their data-security practices.” See, “Court Sides with FTC on Sweeping Data Security Role,” Dechert.com.

The article adds, much to the dismay of GCs, that the practical effect of the decision may extend into private litigation.

Sue Reisinger is a Senior Reporter for Corporate Counsel magazine, an ALM sibling of e-Commerce Law & Strategy.

In a case being closely watched by general counsel, a federal judge ruled last month that the Federal Trade Commission (FTC) has the authority to take legal action against companies that have faulty security practices for consumer data.

“The FTC can now speak with an authoritative tone on what amounts to reasonable data-security practices. Inside and outside counsel will have to listen,” attorney Michael Cowie told e-Commerce Law & Strategy's ALM sibling Corporate Counsel. Cowie, a partner at Dechert in Washington, DC, is a former assistant director and senior litigation counsel at the FTC.

The FTC has gone after companies for the last 10 years for bad data-security protection when consumer information was put at risk, but no one challenged the agency until now.

Usually, companies quietly settled. But this time was different. In 2012, the FTC accused the hotel group Wyndham Worldwide of carelessness after hackers stole customer credit card information and caused more than $10 million in fraudulent charges.

Rather than settle, Wyndham questioned the FTC's authority in U.S. District Court in Newark, saying Congress never gave the agency the right to bring enforcement action over data security. See, “FTC Expanding Its Role in 'Internet of Things' Security,” in the October 2013 issue of e-Commerce Law & Strategy.

Wyndham also argued it was denied due process because neither Congress nor the FTC has published data-security standards or guidelines. The U.S. Chamber of Commerce, among others, filed an amicus brief supporting Wyndham.

But on April 7, U.S. District Judge Esther Salas denied Wyndham's motion to dismiss the FTC's case, saying the agency has authority under Section 5 of the Federal Trade Commission Act to bring enforcement actions against companies with business practices that are considered “unfair or deceptive.”

Craig Newman, managing partner of Richards Kibbe & Orbe, told Corporate Counsel: “I think the biggest challenge for companies and for their general counsel in assessing the Wyndham decision is the fact that it gives very little guidance to companies on what the FTC considers to be 'reasonable' data-protection standards. And those standards can vary by company and by industry and by type of consumer data a company maintains.”

Newman, a former general counsel at two companies, said the FTC argued that a company's data security must meet a reasonableness test.

“But if you're a company, 'reasonableness' is a pretty big target to shoot at,” he said. “If a company guesses wrong, it will be in the crosshairs of an FTC enforcement action.”

The agency argued in court that there are voluntary industry standards on cybersecurity, and its consent orders signed with other companies illustrate what it considers reasonable practices. The FTC also argued that this area of law is constantly evolving and it needs to define fair and reasonable practices on a case-by-case basis.

Salas' ruling seemed to agree, saying the climate of this case “undoubtedly raises a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.”

Her 42-page ruling was carefully constructed and did not deal with the merits of the case. “This decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” she warned. (A PDF of the ruling is available at http://bit.ly/1itN4b9.)

Still, Newman sees the decision emboldening the FTC. “It certainly is going to put some wind in their sails,” he said. “This clearly is going to be a test case. And I suspect that Judge Salas is not going to be the last word, and that this will find its way up through appellate court.”

But first Wyndham must decide if it's going to keep fighting or settle after losing this opening round.

Cowie also co-authored an article on the ruling's implications. It states: “This precedent will give the FTC greater leverage over companies under investigation and an enhanced ability to force companies to undergo expensive litigation over the reasonableness of their data-security practices.” See, “Court Sides with FTC on Sweeping Data Security Role,” Dechert.com.

The article adds, much to the dismay of GCs, that the practical effect of the decision may extend into private litigation.

Sue Reisinger is a Senior Reporter for Corporate Counsel magazine, an ALM sibling of e-Commerce Law & Strategy.